.if !'po4a'hide' .TH security_file_certgen 8
.
.SH NAME
security_file_certgen \- SSL certificate generator for Squid.
.PP
Version 1.1
.
.SH SYNOPSIS
.if !'po4a'hide' .B security_file_certgen
.if !'po4a'hide' .B "[\-cdhv] [\-s "
directory
.if !'po4a'hide' .B "\-M "
size
.if !'po4a'hide' .B "] [\-b "
fs_block_size
.if !'po4a'hide' .B ]
.
.SH DESCRIPTION
.B security_file_certgen
is an installed binary.
.PP
Because the generation and signing of SSL certificates takes time
Squid can use this helper as an external process to handle the work.
.
Communication occurs via TCP sockets bound to the loopback interface.
.
This helper can use a disk cache of certificates to improve response
times on repeated requests. It can also operate without a cache,
generating new certificates on every request.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-b fs_block_size
File system block size in bytes. Needed for processing natural size of certificate on disk.
Default value is 2048 bytes.
The following suffixes are accepted:
.B B, KB, MB, GB.
When no suffix is set,
.B B
is assumed.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-c
Initialize the SSL storage database and exit. Requires the
.B \-s
and
.B \-M
options to determine the storage location and size being created.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-d
Write debug info to stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-s directory
Directory path of SSL storage database. Requires the
.B \-M
option.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-M size
Maximum size of SSL certificate disk storage. Same suffixes supported by the
.B \-b
option can be used.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-v
Display the binary version details using stderr.
.
.SH KNOWN ISSUES
.PP
.B SSL errors after changing the CA
.
.PP
Certificates are stored in this database in signed form.
After any change to the signing CA in squid.conf be sure to erase and reinitialize the certificate database.
.
.PP
.B Certificate chaining
.
.PP
The versions 1.0 to 1.1 of this helper will not add chained intermediate CA certificates.
The client must have a full chain of trust from the root CA all the way
down to the end certificate generated by this program.
.
Signing with an intermediate CA needs to install both the
root and the intermediate public CA on the clients.
.
.SH CONFIGURATION
.PP
Before this helper can be used with disk storage, the storage area for new certificates must be initialized manually.
This is done from the command line using the 
.B \-c 
parameter.
.
.PP
For example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B @DEFAULT_SSL_CRTD@ \-c \-s @DEFAULT_SSL_DB_DIR@ \-M 4MB
.if !'po4a'hide' .RE
.
.PP
Certificates are stored in this database in signed form.
After any change to the signing CA in squid.conf be sure to erase and re-initialize the certificate database.
.
.PP
For simple configuration the helper defaults can be used.
Only HTTP listening port options are required to enable generation and set the signing CA certificate.
.
.PP
For example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=@SYSCONFDIR@/ssl_cert/example.com.pem
.if !'po4a'hide' .RE
.
.PP
For more customized configuration, the helper certificate storage directory location and size can be altered with the
.B sslcrtd_program
configuration directive. The number of helper processes running can be configured with the
and
.B ssl_crtd_children
configuration directive.
.
.PP
For example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B sslcrtd_program @DEFAULT_SSL_CRTD@ \-s @DEFAULT_SSL_DB_DIR@ \-M 4MB
.if !'po4a'hide' .br
.if !'po4a'hide' .B sslcrtd_children 5
.if !'po4a'hide' .RE
.
.PP
To operate without disk storage, the helper should be configured explicitly without the
.B \-s
and
.B \-M
parameters.
.
.PP
For example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B sslcrtd_program @DEFAULT_SSL_CRTD@
.if !'po4a'hide' .RE
.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
.PP
This manual was written by
.if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
and
.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
.
.SH COPYRIGHT
.PP
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@lists.squid-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See https://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using https://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@lists.squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@lists.squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR GPL "(7), "
.br
The Squid FAQ wiki
.if !'po4a'hide' https://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/
